Windows 10 Security Technical Implementation Guide
The Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Finding Count: 277

Requirements

IDs Severity Title
Vuln ID: V-63319
Rule ID: SV-77809r1_rule
Show Details
Medium Domain-joined systems must use Windows 10 Enterprise Edition.
Vuln ID: V-63321
Rule ID: SV-77811r1_rule
Show Details
Medium Users must be prevented from changing installation options.
Vuln ID: V-63323
Rule ID: SV-77813r3_rule
Show Details
Low Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
Vuln ID: V-63325
Rule ID: SV-77815r1_rule
Show Details
High The Windows Installer Always install with elevated privileges must be disabled.
Vuln ID: V-63329
Rule ID: SV-77819r1_rule
Show Details
Medium Users must be notified if a web-based program attempts to install software.
Vuln ID: V-63333
Rule ID: SV-77823r1_rule
Show Details
Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
Vuln ID: V-63335
Rule ID: SV-77825r1_rule
Show Details
High The Windows Remote Management (WinRM) client must not use Basic authentication.
Vuln ID: V-63337
Rule ID: SV-77827r1_rule
Show Details
High Mobile systems must encrypt all disks to protect the confidentiality and integrity of all information at rest.
Vuln ID: V-63339
Rule ID: SV-77829r1_rule
Show Details
Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
Vuln ID: V-63341
Rule ID: SV-77831r1_rule
Show Details
Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
Vuln ID: V-63343
Rule ID: SV-77833r1_rule
Show Details
Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
Vuln ID: V-63345
Rule ID: SV-77835r2_rule
Show Details
Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Vuln ID: V-63347
Rule ID: SV-77837r1_rule
Show Details
High The Windows Remote Management (WinRM) service must not use Basic authentication.
Vuln ID: V-63349
Rule ID: SV-77839r2_rule
Show Details
High Systems must be maintained at a supported servicing level.
Vuln ID: V-63351
Rule ID: SV-77841r2_rule
Show Details
High An approved, up-to-date, DoD antivirus program must be installed and used.
Vuln ID: V-63353
Rule ID: SV-77843r1_rule
Show Details
High Local volumes must be formatted using NTFS.
Vuln ID: V-63355
Rule ID: SV-77845r1_rule
Show Details
Medium Alternate operating systems must not be permitted on the same system.
Vuln ID: V-63357
Rule ID: SV-77847r1_rule
Show Details
Medium Non system-created file shares on a system must limit access to groups that require it.
Vuln ID: V-63359
Rule ID: SV-77849r1_rule
Show Details
Low Unused accounts must be disabled or removed from the system after 35 days of inactivity.
Vuln ID: V-63361
Rule ID: SV-77851r1_rule
Show Details
High Only accounts responsible for the administration of a system must have Administrator rights on the system.
Vuln ID: V-63363
Rule ID: SV-77853r1_rule
Show Details
Medium Only accounts responsible for the backup operations must be members of the Backup Operators group.
Vuln ID: V-63365
Rule ID: SV-77855r1_rule
Show Details
Medium Users must not be allowed to run virtual machines in Hyper-V on the system.
Vuln ID: V-63367
Rule ID: SV-77857r1_rule
Show Details
Low Standard local user accounts must not exist on a system in a domain.
Vuln ID: V-63369
Rule ID: SV-77859r1_rule
Show Details
Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
Vuln ID: V-63371
Rule ID: SV-77861r1_rule
Show Details
Medium Accounts must be configured to require password expiration.
Vuln ID: V-63373
Rule ID: SV-77863r1_rule
Show Details
Medium Permissions for system files and directories must conform to minimum requirements.
Vuln ID: V-63375
Rule ID: SV-77865r1_rule
Show Details
Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
Vuln ID: V-63377
Rule ID: SV-77867r1_rule
Show Details
High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
Vuln ID: V-63379
Rule ID: SV-77869r2_rule
Show Details
High The Enhanced Mitigation Experience Toolkit (EMET) v5.5 or later must be installed on the system.
Vuln ID: V-63381
Rule ID: SV-77871r1_rule
Show Details
Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
Vuln ID: V-63383
Rule ID: SV-77873r1_rule
Show Details
Medium Simple TCP/IP Services must not be installed on the system.
Vuln ID: V-63385
Rule ID: SV-77875r1_rule
Show Details
Medium The Telnet Client must not be installed on the system.
Vuln ID: V-63387
Rule ID: SV-77877r3_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled.
Vuln ID: V-63389
Rule ID: SV-77879r1_rule
Show Details
Medium The TFTP Client must not be installed on the system.
Vuln ID: V-63391
Rule ID: SV-77881r3_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
Vuln ID: V-63393
Rule ID: SV-77883r1_rule
Show Details
Medium Software certificate installation files must be removed from a system.
Vuln ID: V-63395
Rule ID: SV-77885r2_rule
Show Details
Medium The HBSS McAfee Agent must be installed.
Vuln ID: V-63397
Rule ID: SV-77887r3_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
Vuln ID: V-63399
Rule ID: SV-77889r1_rule
Show Details
Medium A host-based firewall must be installed and enabled on the system.
Vuln ID: V-63401
Rule ID: SV-77891r2_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
Vuln ID: V-63403
Rule ID: SV-77893r1_rule
Show Details
Medium Inbound exceptions to the firewall on domain workstations must only allow authorized remote management hosts.
Vuln ID: V-63405
Rule ID: SV-77895r1_rule
Show Details
Medium The lockout duration must be configured to require an administrator to unlock an account.
Vuln ID: V-63407
Rule ID: SV-77897r2_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
Vuln ID: V-63409
Rule ID: SV-77899r1_rule
Show Details
Medium The number of allowed bad logon attempts must be configured to 3 or less.
Vuln ID: V-63411
Rule ID: SV-77901r2_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
Vuln ID: V-63413
Rule ID: SV-77903r1_rule
Show Details
Medium The period of time before the bad logon counter is reset must be configured to 15 minutes.
Vuln ID: V-63415
Rule ID: SV-77905r2_rule
Show Details
Medium The password history must be configured to 24 passwords remembered.
Vuln ID: V-63417
Rule ID: SV-77907r2_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Deep Hooks.
Vuln ID: V-63419
Rule ID: SV-77909r1_rule
Show Details
Medium The maximum password age must be configured to 60 days or less.
Vuln ID: V-63421
Rule ID: SV-77911r1_rule
Show Details
Medium The minimum password age must be configured to at least 1 day.
Vuln ID: V-63423
Rule ID: SV-77913r1_rule
Show Details
Medium Passwords must, at a minimum, be 14 characters.
Vuln ID: V-63425
Rule ID: SV-77915r2_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Anti Detours.
Vuln ID: V-63427
Rule ID: SV-77917r1_rule
Show Details
Medium The built-in Microsoft password complexity filter must be enabled.
Vuln ID: V-63429
Rule ID: SV-77919r1_rule
Show Details
High Reversible password encryption must be disabled.
Vuln ID: V-63431
Rule ID: SV-77921r1_rule
Show Details
Medium The system must be configured to audit Account Logon - Credential Validation failures.
Vuln ID: V-63433
Rule ID: SV-77923r2_rule
Show Details
Medium The Enhanced Mitigation Experience Toolkit (EMET) Default Actions and Mitigations Settings must enable Banned Functions.
Vuln ID: V-63435
Rule ID: SV-77925r1_rule
Show Details
Medium The system must be configured to audit Account Logon - Credential Validation successes.
Vuln ID: V-63437
Rule ID: SV-77927r1_rule
Show Details
Medium The Windows Error Reporting Service must be running and configured to start automatically.
Vuln ID: V-63439
Rule ID: SV-77929r1_rule
Show Details
Medium The system must be configured to audit Account Management - Other Account Management Events failures.
Vuln ID: V-63441
Rule ID: SV-77931r1_rule
Show Details
Medium The system must be configured to audit Account Management - Other Account Management Events successes.
Vuln ID: V-63443
Rule ID: SV-77933r1_rule
Show Details
Medium The system must be configured to audit Account Management - Security Group Management failures.
Vuln ID: V-63445
Rule ID: SV-77935r1_rule
Show Details
Medium The system must be configured to audit Account Management - Security Group Management successes.
Vuln ID: V-63447
Rule ID: SV-77937r1_rule
Show Details
Medium The system must be configured to audit Account Management - User Account Management failures.
Vuln ID: V-63449
Rule ID: SV-77939r1_rule
Show Details
Medium The system must be configured to audit Account Management - User Account Management successes.
Vuln ID: V-63451
Rule ID: SV-77941r1_rule
Show Details
Medium The system must be configured to audit Detailed Tracking - PNP Activity successes.
Vuln ID: V-63453
Rule ID: SV-77943r1_rule
Show Details
Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
Vuln ID: V-63455
Rule ID: SV-77945r1_rule
Show Details
Medium The system must be configured to audit Logon/Logoff - Account Lockout successes.
Vuln ID: V-63457
Rule ID: SV-77947r1_rule
Show Details
Medium The system must be configured to audit Logon/Logoff - Group Membership successes.
Vuln ID: V-63459
Rule ID: SV-77951r1_rule
Show Details
Medium The system must be configured to audit Logon/Logoff - Logoff successes.
Vuln ID: V-63461
Rule ID: SV-77949r1_rule
Show Details
Medium The system must be configured to generate error reports.
Vuln ID: V-63463
Rule ID: SV-77953r1_rule
Show Details
Medium The system must be configured to audit Logon/Logoff - Logon failures.
Vuln ID: V-63467
Rule ID: SV-77957r1_rule
Show Details
Medium The system must be configured to audit Logon/Logoff - Logon successes.
Vuln ID: V-63469
Rule ID: SV-77959r1_rule
Show Details
Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
Vuln ID: V-63471
Rule ID: SV-77961r1_rule
Show Details
Medium The system must be configured to audit Object Access - Removable Storage failures.
Vuln ID: V-63473
Rule ID: SV-77963r1_rule
Show Details
Medium The system must be configured to audit Object Access - Removable Storage successes.
Vuln ID: V-63475
Rule ID: SV-77965r2_rule
Show Details
Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
Vuln ID: V-63479
Rule ID: SV-77969r2_rule
Show Details
Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
Vuln ID: V-63481
Rule ID: SV-77971r1_rule
Show Details
Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
Vuln ID: V-63483
Rule ID: SV-77973r1_rule
Show Details
Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
Vuln ID: V-63487
Rule ID: SV-77977r1_rule
Show Details
Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
Vuln ID: V-63489
Rule ID: SV-77979r1_rule
Show Details
Medium The system must be configured to save Error Reporting events and messages to the system event log.
Vuln ID: V-63491
Rule ID: SV-77981r1_rule
Show Details
Medium The system must be configured to audit System - IPSec Driver failures.
Vuln ID: V-63493
Rule ID: SV-77983r1_rule
Show Details
Medium The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
Vuln ID: V-63495
Rule ID: SV-77985r1_rule
Show Details
Medium The system must be configured to audit System - IPSec Driver successes.
Vuln ID: V-63497
Rule ID: SV-77987r1_rule
Show Details
Medium The system must be configured to collect multiple error reports of the same event type.
Vuln ID: V-63499
Rule ID: SV-77989r1_rule
Show Details
Medium The system must be configured to audit System - Other System Events successes.
Vuln ID: V-63503
Rule ID: SV-77993r1_rule
Show Details
Medium The system must be configured to audit System - Other System Events failures.
Vuln ID: V-63505
Rule ID: SV-77995r1_rule
Show Details
Medium The system must be configured to prevent the display of error messages to the user.
Vuln ID: V-63507
Rule ID: SV-77997r1_rule
Show Details
Medium The system must be configured to audit System - Security State Change successes.
Vuln ID: V-63511
Rule ID: SV-78001r1_rule
Show Details
Medium The system must be configured to audit System - Security System Extension failures.
Vuln ID: V-63513
Rule ID: SV-78003r1_rule
Show Details
Medium The system must be configured to audit System - Security System Extension successes.
Vuln ID: V-63515
Rule ID: SV-78005r1_rule
Show Details
Medium The system must be configured to audit System - System Integrity failures.
Vuln ID: V-63517
Rule ID: SV-78007r1_rule
Show Details
Medium The system must be configured to audit System - System Integrity successes.
Vuln ID: V-63519
Rule ID: SV-78009r1_rule
Show Details
Medium The Application event log size must be configured to 32768 KB or greater.
Vuln ID: V-63521
Rule ID: SV-78011r2_rule
Show Details
Medium The system must be configured to use a Corporate Error Reporting (CER) server for collecting crashes or for saving them locally.
Vuln ID: V-63523
Rule ID: SV-78013r1_rule
Show Details
Medium The Security event log size must be configured to 196608 KB or greater.
Vuln ID: V-63525
Rule ID: SV-78015r1_rule
Show Details
Medium The system must be configured to use SSL to forward error reports.
Vuln ID: V-63527
Rule ID: SV-78017r1_rule
Show Details
Medium The System event log size must be configured to 32768 KB or greater.
Vuln ID: V-63533
Rule ID: SV-78023r1_rule
Show Details
Medium Permissions for the Application event log must prevent access by non-privileged accounts.
Vuln ID: V-63535
Rule ID: SV-78025r1_rule
Show Details
Medium The system must be configured to archive error reports.
Vuln ID: V-63537
Rule ID: SV-78027r1_rule
Show Details
Medium Permissions for the Security event log must prevent access by non-privileged accounts.
Vuln ID: V-63539
Rule ID: SV-78029r1_rule
Show Details
Medium The system must be configured to store all data in the error report archive.
Vuln ID: V-63541
Rule ID: SV-78031r1_rule
Show Details
Medium Permissions for the System event log must prevent access by non-privileged accounts.
Vuln ID: V-63543
Rule ID: SV-78033r1_rule
Show Details
Medium The maximum number of error reports to archive on a system must be configured to 100 or greater.
Vuln ID: V-63545
Rule ID: SV-78035r1_rule
Show Details
Medium Camera access from the lock screen must be disabled.
Vuln ID: V-63547
Rule ID: SV-78037r1_rule
Show Details
Medium The system must be configured to queue error reports until a local or DOD-wide collector is available.
Vuln ID: V-63549
Rule ID: SV-78039r1_rule
Show Details
Medium The display of slide shows on the lock screen must be disabled.
Vuln ID: V-63551
Rule ID: SV-78041r2_rule
Show Details
Medium Automatic logons must be disabled.
Vuln ID: V-63555
Rule ID: SV-78045r1_rule
Show Details
Medium IPv6 source routing must be configured to highest protection.
Vuln ID: V-63557
Rule ID: SV-78047r1_rule
Show Details
Medium The system must be configured to add all error reports to the queue.
Vuln ID: V-63559
Rule ID: SV-78049r1_rule
Show Details
Medium The system must be configured to prevent IP source routing.
Vuln ID: V-63561
Rule ID: SV-78051r1_rule
Show Details
Medium The maximum number of error reports to queue on a system must be configured to 50 or greater.
Vuln ID: V-63563
Rule ID: SV-78053r1_rule
Show Details
Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
Vuln ID: V-63565
Rule ID: SV-78055r1_rule
Show Details
Medium The system must be configured to attempt to forward queued error reports once a day.
Vuln ID: V-63567
Rule ID: SV-78057r1_rule
Show Details
Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
Vuln ID: V-63569
Rule ID: SV-78059r1_rule
Show Details
Medium Insecure logons to an SMB server must be disabled.
Vuln ID: V-63571
Rule ID: SV-78061r1_rule
Show Details
Medium The system must be configured to automatically consent to send all data requested by a local or DOD-wide error collection site.
Vuln ID: V-63573
Rule ID: SV-78063r1_rule
Show Details
Medium All Direct Access traffic must be routed through the internal network.
Vuln ID: V-63575
Rule ID: SV-78065r1_rule
Show Details
Medium The system must be configured to permit the default consent levels of Windows Error Reporting to override any other consent policy setting.
Vuln ID: V-63577
Rule ID: SV-78067r1_rule
Show Details
Medium Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
Vuln ID: V-63579
Rule ID: SV-78069r2_rule
Show Details
Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
Vuln ID: V-63581
Rule ID: SV-78071r1_rule
Show Details
Medium Simultaneous connections to the Internet or a Windows domain must be limited.
Vuln ID: V-63583
Rule ID: SV-78073r2_rule
Show Details
Medium The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
Vuln ID: V-63585
Rule ID: SV-78075r1_rule
Show Details
Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
Vuln ID: V-63587
Rule ID: SV-78077r2_rule
Show Details
Medium The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
Vuln ID: V-63589
Rule ID: SV-78079r2_rule
Show Details
Medium The US DoD CCEB Interoperability Root CA cross-certificate must be installed in the Untrusted Certificates Store on unclassified systems.
Vuln ID: V-63591
Rule ID: SV-78081r1_rule
Show Details
Medium Wi-Fi Sense must be disabled.
Vuln ID: V-63593
Rule ID: SV-78083r1_rule
Show Details
Medium Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
Vuln ID: V-63595
Rule ID: SV-78085r3_rule
Show Details
Low Virtualization Based Security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
Vuln ID: V-63597
Rule ID: SV-78087r1_rule
Show Details
Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
Vuln ID: V-63599
Rule ID: SV-78089r3_rule
Show Details
Low Credential Guard must be running on domain-joined systems.
Vuln ID: V-63601
Rule ID: SV-78091r1_rule
Show Details
Medium The built-in administrator account must be disabled.
Vuln ID: V-63603
Rule ID: SV-78093r3_rule
Show Details
Low Virtualization-based protection of code integrity must be enabled on domain-joined systems.
Vuln ID: V-63607
Rule ID: SV-78097r1_rule
Show Details
Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
Vuln ID: V-63609
Rule ID: SV-78099r1_rule
Show Details
Medium Group Policy objects must be reprocessed even if they have not changed.
Vuln ID: V-63611
Rule ID: SV-78101r1_rule
Show Details
Medium The built-in guest account must be disabled.
Vuln ID: V-63613
Rule ID: SV-78103r1_rule
Show Details
Medium Group Policies must be refreshed in the background if the user is logged on.
Vuln ID: V-63615
Rule ID: SV-78105r1_rule
Show Details
Medium Downloading print driver packages over HTTP must be prevented.
Vuln ID: V-63617
Rule ID: SV-78107r1_rule
Show Details
Medium Local accounts with blank passwords must be restricted to prevent access from the network.
Vuln ID: V-63619
Rule ID: SV-78109r1_rule
Show Details
Medium The built-in administrator account must be renamed.
Vuln ID: V-63621
Rule ID: SV-78111r1_rule
Show Details
Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
Vuln ID: V-63623
Rule ID: SV-78113r1_rule
Show Details
Medium Printing over HTTP must be prevented.
Vuln ID: V-63625
Rule ID: SV-78115r1_rule
Show Details
Medium The built-in guest account must be renamed.
Vuln ID: V-63627
Rule ID: SV-78117r1_rule
Show Details
Medium Systems must at least attempt device authentication using certificates.
Vuln ID: V-63629
Rule ID: SV-78119r1_rule
Show Details
Medium The network selection user interface (UI) must not be displayed on the logon screen.
Vuln ID: V-63631
Rule ID: SV-78121r1_rule
Show Details
Medium Connected users on domain-joined computers must not be enumerated.
Vuln ID: V-63633
Rule ID: SV-78123r1_rule
Show Details
Medium Local users on domain-joined computers must not be enumerated.
Vuln ID: V-63635
Rule ID: SV-78125r1_rule
Show Details
Medium Audit policy using subcategories must be enabled.
Vuln ID: V-63637
Rule ID: SV-78127r1_rule
Show Details
Medium Signing in using a PIN must be turned off.
Vuln ID: V-63639
Rule ID: SV-78129r1_rule
Show Details
Medium Outgoing secure channel traffic must be encrypted or signed.
Vuln ID: V-63641
Rule ID: SV-78131r1_rule
Show Details
Medium The system must be configured to block untrusted fonts from loading.
Vuln ID: V-63643
Rule ID: SV-78133r1_rule
Show Details
Medium Outgoing secure channel traffic must be encrypted when possible.
Vuln ID: V-63645
Rule ID: SV-78135r1_rule
Show Details
Medium Users must be prompted for a password on resume from sleep (on battery).
Vuln ID: V-63647
Rule ID: SV-78137r1_rule
Show Details
Medium Outgoing secure channel traffic must be signed when possible.
Vuln ID: V-63649
Rule ID: SV-78139r1_rule
Show Details
Medium The user must be prompted for a password on resume from sleep (plugged in).
Vuln ID: V-63651
Rule ID: SV-78141r1_rule
Show Details
High Solicited Remote Assistance must not be allowed.
Vuln ID: V-63653
Rule ID: SV-78143r1_rule
Show Details
Low The computer account password must not be prevented from being reset.
Vuln ID: V-63655
Rule ID: SV-78145r1_rule
Show Details
Medium Client computers must be required to authenticate for RPC communication.
Vuln ID: V-63657
Rule ID: SV-78147r1_rule
Show Details
Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
Vuln ID: V-63659
Rule ID: SV-78149r1_rule
Show Details
Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
Vuln ID: V-63661
Rule ID: SV-78151r1_rule
Show Details
Low The maximum age for machine account passwords must be configured to 30 days or less.
Vuln ID: V-63663
Rule ID: SV-78153r1_rule
Show Details
Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
Vuln ID: V-63665
Rule ID: SV-78155r1_rule
Show Details
Medium The system must be configured to require a strong session key.
Vuln ID: V-63667
Rule ID: SV-78157r1_rule
Show Details
High Autoplay must be turned off for non-volume devices.
Vuln ID: V-63669
Rule ID: SV-78159r1_rule
Show Details
Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
Vuln ID: V-63671
Rule ID: SV-78161r1_rule
Show Details
High The default autorun behavior must be configured to prevent autorun commands.
Vuln ID: V-63673
Rule ID: SV-78163r1_rule
Show Details
High Autoplay must be disabled for all drives.
Vuln ID: V-63675
Rule ID: SV-78165r1_rule
Show Details
Medium The required legal notice must be configured to display before console logon.
Vuln ID: V-63677
Rule ID: SV-78167r1_rule
Show Details
Medium Enhanced anti-spoofing when available must be enabled for facial recognition.
Vuln ID: V-63679
Rule ID: SV-78169r1_rule
Show Details
Medium Administrator accounts must not be enumerated during elevation.
Vuln ID: V-63681
Rule ID: SV-78171r1_rule
Show Details
Low The Windows dialog box title for the legal banner must be configured.
Vuln ID: V-63683
Rule ID: SV-78173r1_rule
Show Details
Medium Windows Telemetry must be configured to the lowest level of data sent to Microsoft.
Vuln ID: V-63685
Rule ID: SV-78175r1_rule
Show Details
Medium The Windows SmartScreen must be configured to require approval from an administrator before running downloaded unknown software.
Vuln ID: V-63687
Rule ID: SV-78177r1_rule
Show Details
Low Caching of logon credentials must be limited.
Vuln ID: V-63689
Rule ID: SV-78179r1_rule
Show Details
Medium Explorer Data Execution Prevention must be enabled.
Vuln ID: V-63691
Rule ID: SV-78181r1_rule
Show Details
Low Turning off File Explorer heap termination on corruption must be disabled.
Vuln ID: V-63693
Rule ID: SV-78183r1_rule
Show Details
Low Domain Controller authentication must not be required to unlock the workstation.
Vuln ID: V-63695
Rule ID: SV-78185r1_rule
Show Details
Medium File Explorer shell protocol must run in protected mode.
Vuln ID: V-63697
Rule ID: SV-78187r1_rule
Show Details
Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
Vuln ID: V-63699
Rule ID: SV-78189r1_rule
Show Details
Medium Users must not be allowed to ignore SmartScreen filter warnings for malicious websites in Microsoft Edge.
Vuln ID: V-63701
Rule ID: SV-78191r1_rule
Show Details
Medium Users must not be allowed to ignore SmartScreen filter warnings for unverified files in Microsoft Edge.
Vuln ID: V-63703
Rule ID: SV-78193r1_rule
Show Details
Medium The Windows SMB client must be configured to always perform SMB packet signing.
Vuln ID: V-63705
Rule ID: SV-78195r1_rule
Show Details
Medium InPrivate browsing in Microsoft Edge must be disabled.
Vuln ID: V-63707
Rule ID: SV-78197r1_rule
Show Details
Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
Vuln ID: V-63709
Rule ID: SV-78199r1_rule
Show Details
Medium The password manager function in the Edge browser must be disabled.
Vuln ID: V-63711
Rule ID: SV-78201r1_rule
Show Details
Medium Unencrypted passwords must not be sent to third-party SMB Servers.
Vuln ID: V-63713
Rule ID: SV-78203r1_rule
Show Details
Medium The SmartScreen filter for Microsoft Edge must be enabled.
Vuln ID: V-63715
Rule ID: SV-78205r1_rule
Show Details
Low The amount of idle time required before suspending a session must be configured to 15 minutes or less.
Vuln ID: V-63717
Rule ID: SV-78207r2_rule
Show Details
Medium The use of a hardware security device with Microsoft Passport for Work must be enabled.
Vuln ID: V-63719
Rule ID: SV-78209r1_rule
Show Details
Medium The Windows SMB server must be configured to always perform SMB packet signing.
Vuln ID: V-63721
Rule ID: SV-78211r1_rule
Show Details
Medium The minimum pin length for Microsoft Passport for Work must be 6 characters or greater.
Vuln ID: V-63723
Rule ID: SV-78213r1_rule
Show Details
Medium The Windows SMB server must perform SMB packet signing when possible.
Vuln ID: V-63725
Rule ID: SV-78215r1_rule
Show Details
Medium The use of OneDrive for storage must be disabled.
Vuln ID: V-63727
Rule ID: SV-78217r1_rule
Show Details
Low Users must be forcibly disconnected when their logon hours expire.
Vuln ID: V-63729
Rule ID: SV-78219r1_rule
Show Details
Medium Passwords must not be saved in the Remote Desktop Client.
Vuln ID: V-63731
Rule ID: SV-78221r1_rule
Show Details
Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
Vuln ID: V-63733
Rule ID: SV-78223r1_rule
Show Details
Medium Remote Desktop Services must always prompt a client for passwords upon connection.
Vuln ID: V-63735
Rule ID: SV-78225r1_rule
Show Details
Medium The service principal name (SPN) target name validation level must be configured to Accept if provided by client.
Vuln ID: V-63737
Rule ID: SV-78227r1_rule
Show Details
Medium The Remote Desktop Session Host must require secure RPC communications.
Vuln ID: V-63739
Rule ID: SV-78229r1_rule
Show Details
High Anonymous SID/Name translation must not be allowed.
Vuln ID: V-63741
Rule ID: SV-78231r1_rule
Show Details
Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
Vuln ID: V-63743
Rule ID: SV-78233r1_rule
Show Details
Medium Attachments must be prevented from being downloaded from RSS feeds.
Vuln ID: V-63745
Rule ID: SV-78235r1_rule
Show Details
High Anonymous enumeration of SAM accounts must not be allowed.
Vuln ID: V-63747
Rule ID: SV-78237r1_rule
Show Details
Medium Basic authentication for RSS feeds over HTTP must not be used.
Vuln ID: V-63749
Rule ID: SV-78239r1_rule
Show Details
High Anonymous enumeration of shares must be restricted.
Vuln ID: V-63751
Rule ID: SV-78241r1_rule
Show Details
Medium Indexing of encrypted files must be turned off.
Vuln ID: V-63753
Rule ID: SV-78243r1_rule
Show Details
Medium The system must be configured to prevent the storage of passwords and credentials.
Vuln ID: V-63755
Rule ID: SV-78245r1_rule
Show Details
Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
Vuln ID: V-63759
Rule ID: SV-78249r1_rule
Show Details
High Anonymous access to Named Pipes and Shares must be restricted.
Vuln ID: V-63761
Rule ID: SV-78251r1_rule
Show Details
Medium The system must be configured to use the Classic security model.
Vuln ID: V-63763
Rule ID: SV-78253r1_rule
Show Details
Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
Vuln ID: V-63765
Rule ID: SV-78255r1_rule
Show Details
Medium NTLM must be prevented from falling back to a Null session.
Vuln ID: V-63767
Rule ID: SV-78257r1_rule
Show Details
Medium PKU2U authentication using online identities must be prevented.
Vuln ID: V-63795
Rule ID: SV-78285r1_rule
Show Details
Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
Vuln ID: V-63797
Rule ID: SV-78287r1_rule
Show Details
High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
Vuln ID: V-63799
Rule ID: SV-78289r1_rule
Show Details
Medium The system must be configured to force users to log off when their allowed logon hours expire.
Vuln ID: V-63801
Rule ID: SV-78291r1_rule
Show Details
High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
Vuln ID: V-63803
Rule ID: SV-78293r1_rule
Show Details
Medium The system must be configured to the required LDAP client signing level.
Vuln ID: V-63805
Rule ID: SV-78295r1_rule
Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
Vuln ID: V-63807
Rule ID: SV-78297r1_rule
Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
Vuln ID: V-63809
Rule ID: SV-78299r1_rule
High The Recovery Console option must be set to prevent automatic logon to the system.
Vuln ID: V-63811
Rule ID: SV-78301r1_rule
Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
Vuln ID: V-63813
Rule ID: SV-78303r1_rule
Medium The system must be configured to require case insensitivity for non-Windows subsystems.
Vuln ID: V-63815
Rule ID: SV-78305r1_rule
Low The default permissions of global system objects must be increased.
Vuln ID: V-63817
Rule ID: SV-78307r1_rule
Medium User Account Control approval mode for the built-in Administrator must be enabled.
Vuln ID: V-63819
Rule ID: SV-78309r1_rule
Medium User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
Vuln ID: V-63821
Rule ID: SV-78311r1_rule
Medium User Account Control must automatically deny elevation requests for standard users.
Vuln ID: V-63825
Rule ID: SV-78315r1_rule
Medium User Account Control must be configured to detect application installations and prompt for elevation.
Vuln ID: V-63827
Rule ID: SV-78317r1_rule
Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
Vuln ID: V-63829
Rule ID: SV-78319r1_rule
Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
Vuln ID: V-63831
Rule ID: SV-78321r1_rule
Medium User Account Control must virtualize file and registry write failures to per-user locations.
Vuln ID: V-63835
Rule ID: SV-78325r1_rule
Medium A screen saver must be enabled on the system.
Vuln ID: V-63837
Rule ID: SV-78327r1_rule
Medium The screen saver must be password protected.
Vuln ID: V-63839
Rule ID: SV-78329r1_rule
Low Toast notifications to the lock screen must be turned off.
Vuln ID: V-63841
Rule ID: SV-78331r1_rule
Medium Zone information must be preserved when saving attachments.
Vuln ID: V-63843
Rule ID: SV-78333r1_rule
Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
Vuln ID: V-63845
Rule ID: SV-78335r1_rule
Medium The Access this computer from the network user right must only be assigned to the Administrators group.
Vuln ID: V-63847
Rule ID: SV-78337r1_rule
High The Act as part of the operating system user right must not be assigned to any groups or accounts.
Vuln ID: V-63849
Rule ID: SV-78339r1_rule
Medium The Adjust memory quotas for a process user right must only be assigned to Administrators, Local Service, and Network Service.
Vuln ID: V-63851
Rule ID: SV-78341r1_rule
Medium The Allow log on locally user right must only be assigned to the Administrators and Users groups.
Vuln ID: V-63853
Rule ID: SV-78343r1_rule
Medium The Back up files and directories user right must only be assigned to the Administrators group.
Vuln ID: V-63855
Rule ID: SV-78345r1_rule
Medium The Change the system time user right must only be assigned to Administrators and Local Service.
Vuln ID: V-63857
Rule ID: SV-78347r1_rule
Medium The Create a pagefile user right must only be assigned to the Administrators group.
Vuln ID: V-63859
Rule ID: SV-78349r1_rule
High The Create a token object user right must not be assigned to any groups or accounts.
Vuln ID: V-63861
Rule ID: SV-78351r1_rule
Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
Vuln ID: V-63863
Rule ID: SV-78353r1_rule
Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
Vuln ID: V-63865
Rule ID: SV-78355r1_rule
Medium The Create symbolic links user right must only be assigned to the Administrators group.
Vuln ID: V-63869
Rule ID: SV-78359r1_rule
High The Debug programs user right must only be assigned to the Administrators group.
Vuln ID: V-63871
Rule ID: SV-78361r2_rule
Medium The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
Vuln ID: V-63873
Rule ID: SV-78363r1_rule
Medium The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
Vuln ID: V-63875
Rule ID: SV-78365r1_rule
Medium The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
Vuln ID: V-63877
Rule ID: SV-78367r1_rule
Medium The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
Vuln ID: V-63879
Rule ID: SV-78369r2_rule
Medium The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
Vuln ID: V-63881
Rule ID: SV-78371r1_rule
Medium The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
Vuln ID: V-63883
Rule ID: SV-78373r1_rule
Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
Vuln ID: V-63887
Rule ID: SV-78377r1_rule
Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
Vuln ID: V-63889
Rule ID: SV-78379r1_rule
Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
Vuln ID: V-63891
Rule ID: SV-78381r1_rule
Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
Vuln ID: V-63917
Rule ID: SV-78407r1_rule
Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
Vuln ID: V-63925
Rule ID: SV-78415r1_rule
Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
Vuln ID: V-63927
Rule ID: SV-78417r1_rule
Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
Vuln ID: V-63929
Rule ID: SV-78419r1_rule
Medium The Modify an object label user right must not be assigned to any groups or accounts.
Vuln ID: V-63931
Rule ID: SV-78421r1_rule
Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
Vuln ID: V-63933
Rule ID: SV-78423r1_rule
Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
Vuln ID: V-63935
Rule ID: SV-78425r1_rule
Medium The Profile single process user right must only be assigned to the Administrators group.
Vuln ID: V-63937
Rule ID: SV-78427r1_rule
Medium The Replace a process level token user right must only be assigned to Local Service and Network Service.
Vuln ID: V-63939
Rule ID: SV-78429r1_rule
Medium The Restore files and directories user right must only be assigned to the Administrators group.
Vuln ID: V-63941
Rule ID: SV-78431r1_rule
Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
Vuln ID: V-63957
Rule ID: SV-78447r1_rule
Medium The machine account lockout threshold must be set to 10 on systems with BitLocker enabled.
Vuln ID: V-65681
Rule ID: SV-80171r1_rule
Low Windows Update must not obtain updates from other PCs on the Internet.
Vuln ID: V-68817
Rule ID: SV-83409r1_rule
Medium Command line data must be included in process creation events.
Vuln ID: V-68819
Rule ID: SV-83411r1_rule
Medium PowerShell script block logging must be enabled.
Vuln ID: V-68821
Rule ID: SV-83413r1_rule
Medium PowerShell script block invocation logging must be enabled.
Vuln ID: V-68845
Rule ID: SV-83439r1_rule
High Data Execution Prevention (DEP) must be configured to at least OptOut.
Vuln ID: V-68849
Rule ID: SV-83445r1_rule
High Structured Exception Handling Overwrite Protection (SEHOP) must be turned on.
Vuln ID: V-70637
Rule ID: SV-85259r1_rule
Medium The Windows PowerShell 2.0 feature must be disabled on the system.
Vuln ID: V-70639
Rule ID: SV-85261r1_rule
Medium The Server Message Block (SMB) v1 protocol must be disabled on the system.